
Add panel to search home page dashboard

pdash
Path Finder

I want to add another panel to the Splunk search page, such as a chart that shows all indexes and their usage. How do I add a panel to this dashboard? It does not show up in existing dashboards.


DonD3
Engager

Below is the XML for a different approach to solving this problem. The nice thing about doing it this way is that it is formatted in a similar fashion to the Sources, Source types and Hosts tables that already appear on the page. Enjoy! (This was done with Splunk 5.0.4.)

    <!--
      Index list panel (Advanced XML fragment): one row per index with its event
      count and last update time, read from the /services/data/indexes REST endpoint.
      The mvfilter/where clauses in the search only hide rows from this table (names
      not starting with a lowercase letter, plus the listed index names); they are a
      display filter, not an access control on those indexes.
      NOTE(review): what the rest command returns presumably depends on the viewing
      user's role; confirm before placing this panel on a page open to non-admin users.
    -->
    <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="True">
      <param name="search">| rest /services/data/indexes | fields title totalEventCount updated | rename title AS index, totalEventCount AS Count, updated AS "Last Update" | fieldformat "Last Update"=strftime(strptime('Last Update', "%Y-%m-%dT%T+%3N:%6N"), "%a %b %d %T %Y UTC") | fieldformat Count=tostring(Count, "commas") | eval index=mvfilter(match(index, "^[a-z]")) | where(index!="history") | where(index!="main") | where(index!="sos") | where(index!="sos_summary_daily") | where(index!="splunklogger") | where(index!="summary") | dedup index </param>

      <!-- Header line with the number of rows returned. -->
      <module name="SimpleResultsHeader">
        <param name="entityName">results</param>
        <param name="headerFormat">Indexes (%(count)s)</param>

        <module name="Paginator">
          <param name="entityName">results</param>
          <param name="maxPages">10</param>

          <!-- Row drilldown: a click feeds the clicked value into the nested search below. -->
          <module name="SimpleResultsTable">
            <param name="entityName">results</param>
            <param name="drilldown">row</param>

            <module name="HiddenSearch">
              <param name="search">*</param>

              <!-- Adds index=(clicked value) to the base search as an addterm intention. -->
              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">addterm</param>
                  <param name="arg">
                    <param name="index">$click.value$</param>
                  </param>
                </param>

                <!-- Opens the resulting search in the flashtimeline view. -->
                <module name="ViewRedirector">
                  <param name="viewTarget">flashtimeline</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>

chris
Motivator

Hi, I just had a go at creating the kind of dashboard you wanted to create. The interesting part is at the end. The search I used to get information about the indexes is:

| rest /services/data/indexes count=0  | chart sum(currentDBSizeMB) by title

You might have to use the splunk_server option if you have a distributed environment and only want to list indexes on specific splunk servers:

| rest /services/data/indexes count=0  splunk_server=myserver | chart sum(currentDBSizeMB) by title



<view stylesheet="dashboard2.css" template="dashboard.html">
  <label>Summary</label>

  <!--
    Summary view of the search app with one added panel (the last module in this
    file) that charts index sizes. Every HiddenSearch marked autoRun dispatches its
    search when the page loads, so each viewer of this page starts these searches;
    three of them use rt (real-time) bounds.
  -->

  <!-- Page chrome: account bar, app navigation, messages, title bar. -->
  <module name="AccountBar" layoutPanel="appHeader" />

  <module name="AppBar" layoutPanel="navigationHeader" />

  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <module name="TitleBar" layoutPanel="viewHeader">
    <param name="actionsMenuFilter">dashboard</param>
  </module>

  <!-- Search bar: a submitted search is handed to the flashtimeline view. -->
  <module name="SearchBar" layoutPanel="splSearchControls-inline">
    <param name="useAssistant">true</param>
    <param name="useTypeahead">true</param>
    <param name="useOwnSubmitButton">False</param>

    <module name="TimeRangePicker">
      <param name="selected">All time</param>
      <param name="searchWhenChanged">False</param>

      <module name="SubmitButton">
        <param name="allowSoftSubmit">True</param>

        <module name="ViewRedirector" layoutPanel="viewHeader">
          <param name="viewTarget">flashtimeline</param>
        </module>
      </module>
    </module>
  </module>

  <!-- Indexed data panels. -->

  <!-- Sources table: source, event count and last update time from the metadata command. -->
  <module name="HiddenSearch" layoutPanel="panel_row2_col1" autoRun="true">
    <param name="search">| metadata type=sources | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update" | table source Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
    <param name="maxCount">100000</param>
    <param name="earliest">rt</param>
    <param name="latest">rt</param>

    <module name="SimpleResultsHeader">
      <param name="entityName">results</param>
      <param name="headerFormat">Sources (%(count)s)</param>

      <!-- SPL-42701: PostProcessFilter wrapper is disabled; add back in later.
           <module name="PostProcessFilter">
             <param name="prefixSearch">eval _raw=source</param>
      -->

      <module name="Paginator">
        <param name="entityName">results</param>
        <param name="maxPages">10</param>

        <!-- Row click adds source=(clicked value) to a new search and opens flashtimeline. -->
        <module name="SimpleResultsTable">
          <param name="entityName">results</param>
          <param name="drilldown">row</param>

          <module name="HiddenSearch">
            <param name="search">*</param>

            <module name="ConvertToIntention">
              <param name="intention">
                <param name="name">addterm</param>
                <param name="arg">
                  <param name="source">$click.value$</param>
                </param>
              </param>

              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
                <param name="uriParam.auto_pause">true</param>
              </module>
            </module>
          </module>
        </module>

        <!-- SPL-42701: closing tag of the disabled PostProcessFilter; add back in later.
             </module>
        -->
      </module>
    </module>
  </module>

  <!--
    Static intro text. The value is entity-escaped markup for a link to
    /manager/search/adddata; keep it a fixed string.
  -->
  <module name="StaticContentSample" layoutPanel="panel_row1_col1" group="All indexed data">
    <param name="text">This lists all of the data you have loaded into your default indexes. &lt;a href="/manager/search/adddata"&gt; Add more data&lt;/a&gt;.</param>
    <param name="groupLabel">All indexed data</param>
  </module>

  <!--
    Sourcetypes: one base search feeds four post-process children, namely the three
    single values in the top panel and the Source types table.
  -->
  <module name="HiddenSearch" layoutPanel="panel_row3_col1" autoRun="true">
    <param name="search">| metadata type=sourcetypes | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update"</param>
    <param name="maxCount">100000</param>
    <param name="earliest">rt</param>
    <param name="latest">rt</param>

    <!-- Total number of events indexed. -->
    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
      <param name="search">| stats sum(Count)</param>

      <module name="SingleValue">
        <param name="beforeLabel">Events indexed</param>
        <param name="format">number</param>
      </module>
    </module>

    <!-- Time of the earliest event. -->
    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
      <param name="search">| stats min(firstTime) as min | eval min=strftime(min,"%c")</param>

      <module name="SingleValue">
        <param name="beforeLabel">Earliest event</param>
        <param name="format">string</param>
      </module>
    </module>

    <!-- Time of the latest event. -->
    <module name="HiddenPostProcess" layoutPanel="panel_row1_col1">
      <param name="search">| stats max(lastTime) as max | eval max=strftime(max,"%c")</param>

      <module name="SingleValue">
        <param name="beforeLabel">Latest event</param>
        <param name="format">string</param>
      </module>
    </module>

    <!-- Source types table; a row click adds sourcetype=(clicked value) to a new search. -->
    <module name="HiddenPostProcess" layoutPanel="panel_row3_col1">
      <param name="search">table sourcetype Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>

      <module name="SimpleResultsHeader">
        <param name="entityName">results</param>
        <param name="headerFormat">Source types (%(count)s)</param>

        <module name="Paginator">
          <param name="entityName">results</param>
          <param name="maxPages">10</param>

          <module name="SimpleResultsTable">
            <param name="entityName">results</param>
            <param name="drilldown">row</param>

            <module name="HiddenSearch">
              <param name="search">*</param>

              <module name="ConvertToIntention">
                <param name="intention">
                  <param name="name">addterm</param>
                  <param name="arg">
                    <param name="sourcetype">$click.value$</param>
                  </param>
                </param>

                <module name="ViewRedirector">
                  <param name="viewTarget">flashtimeline</param>
                  <param name="uriParam.auto_pause">true</param>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>

  <!-- Hosts table; a row click adds host=(clicked value) to a new search. -->
  <module name="HiddenSearch" layoutPanel="panel_row3_col2" autoRun="true">
    <param name="search">| metadata type=hosts | search totalCount&gt;0 | rename totalCount as Count recentTime as "Last Update" | table host Count "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "Last Update"=strftime('Last Update', "%c")</param>
    <param name="maxCount">100000</param>
    <param name="earliest">rt</param>
    <param name="latest">rt</param>

    <module name="SimpleResultsHeader">
      <param name="entityName">results</param>
      <param name="headerFormat">Hosts (%(count)s)</param>

      <module name="Paginator">
        <param name="entityName">results</param>
        <param name="maxPages">10</param>

        <module name="SimpleResultsTable">
          <param name="entityName">results</param>
          <param name="drilldown">row</param>

          <module name="HiddenSearch">
            <param name="search">*</param>

            <module name="ConvertToIntention">
              <param name="intention">
                <param name="name">addterm</param>
                <param name="arg">
                  <param name="host">$click.value$</param>
                </param>
              </param>

              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
                <param name="uriParam.auto_pause">true</param>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>

  <!--
    Added panel: pie chart and table of index sizes (sum of currentDBSizeMB by index
    title) read from the /services/data/indexes REST endpoint.
    NOTE(review): index names and sizes become visible to whoever can open this view,
    presumably limited by what the viewer's role may read; confirm before sharing.
    NOTE(review): the earliest/latest bounds probably have no effect on a rest
    search; confirm. In a distributed deployment, add splunk_server=(name) to the
    search to limit which servers are listed.
    The search text sits in a CDATA section, so its lines are kept at column 0 to
    leave the search string unchanged.
  -->
  <module name="HiddenSearch" layoutPanel="panel_row1_col2" autoRun="true">
    <param name="latest">now</param>
    <param name="earliest">-15m</param>
    <param name="search"><![CDATA[
| rest /services/data/indexes count=0  | chart sum(currentDBSizeMB) by title
]]></param>

    <!-- Pie chart of the result. -->
    <module name="HiddenChartFormatter">
      <param name="chart">pie</param>
      <param name="chartTitle">Index Sizes</param>

      <module name="JSChart" />
    </module>

    <!-- The same result as a paginated table. -->
    <module name="SimpleResultsHeader">
      <param name="entityName">results</param>
      <param name="headerFormat">Indexes (%(count)s)</param>

      <module name="Paginator">
        <param name="entityName">results</param>

        <module name="SimpleResultsTable" />
      </module>
    </module>
  </module>
</view>

chris
Motivator

I'm assuming you're talking about this view at
http://yourserver/en-US/manager/search/data/ui/views:
The view/dashboard is in:
$SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml

You can go to the Manager in the search app, click "User Interface" and then "Views"; there you will see dashboard_live, which you can clone or edit directly. Cloning is the safer choice, because the shipped view stays unchanged as a fallback.
